
FortiGate Offline License Activation: The Hidden Procedures Behind Air-Gapped Deployment


FortiGate activate license offline: verified procedures for air-gapped networks, FortiManager proxy setup, manual upload steps, and version-specific requirements.

The Reality of Deploying Firewalls in Isolated Networks

Organizations operating in classified, industrial, or highly regulated environments frequently deploy FortiGate firewalls without direct internet connectivity. This architectural decision—while essential for security—introduces a critical operational challenge: license activation. Without proper licensing, FortiGuard services remain dormant, threat intelligence feeds stall, and the appliance functions at diminished capacity. The question persists: how do administrators activate FortiGate licenses when the device cannot reach Fortinet's validation servers?

Understanding the Licensing Architecture

Fortinet's licensing model relies on periodic validation against the FortiGuard Distribution Network (FDN). In standard deployments, the FortiGate contacts FDN directly. In air-gapped environments, this pathway is intentionally severed. Fortinet provides two sanctioned alternatives, each with distinct prerequisites and version dependencies.

FortiManager as an Internal FortiGuard Proxy

The most robust solution for persistent offline operations involves deploying FortiManager as an intermediary validation server. This architecture requires:

  • A FortiManager instance with initial internet access to synchronize license contracts and signature databases
  • Network connectivity between the offline FortiGate and FortiManager
  • FortiOS 7.0 or later on the managed FortiGate

Configuration proceeds through CLI commands on the FortiGate:

    config system central-management
        set type fortimanager
        config server-list
            edit 1
                set server-type update rating
                set server-address <fortimanager_ip>
            next
        end
        set include-default-servers disable
    end

For virtual machine licenses lacking a hardware bundle, administrators may upload the license file via TFTP:

    execute restore vmlicense tftp <filename>.lic <tftp_ip>

Following upload, the FortiGate reboots and completes registration through FortiManager. On the management side, administrators must enable the fgtupdates service access on the management interface and use the Discover wizard to register the device. A critical caveat: authorizing devices directly from the Unregistered Devices list may cause connection stalls. Allow the initial authorization attempt to time out before proceeding with manual discovery.

Manual License Upload via Product Entitlement Files

Starting with FortiOS 7.2, Fortinet introduced limited support for manual license upload in air-gapped scenarios. This method applies exclusively to hardware appliances in FortiOS 7.2; FortiOS 7.4 extended support to virtual machine licenses.

The procedure requires an internet-connected system at some point in the workflow:

  1. Register the FortiGate serial number on FortiCloud via an internet-connected workstation
  2. Navigate to Products → Product List, select the device serial number
  3. In the License & Key section, download the product entitlement file (format: FG[SERIAL]ProductEntitlement.lic)
  4. Transfer the file to the offline FortiGate via secure removable media
  5. In the FortiOS GUI, navigate to System → FortiGuard and select Upload License File
  6. Select the entitlement file and apply changes

Upon successful upload, the FortiGate validates the cryptographic signature embedded in the license file and activates subscribed services locally. Status indicators transition from "Pending" to "Active" without external validation.

Version-Specific Constraints and Capabilities

Administrators must verify their FortiOS version before selecting an activation method. Execute get system status to confirm the running firmware. Key version distinctions include:

  • FortiOS 7.0 and earlier: No native offline upload capability; FortiManager proxy required
  • FortiOS 7.2: Manual upload supported for hardware appliances only; VM licenses remain dependent on external validation
  • FortiOS 7.4 and later: Manual upload extended to VM licenses; enhanced support for private cloud deployments

Attempting manual upload on unsupported versions results in silent failures or persistent "Pending" status indicators. Similarly, applying a VM license file on FortiOS 7.2 without subsequent FortiManager or FDN validation renders the license inactive despite successful file upload.

Common Implementation Pitfalls

Several recurring issues undermine offline activation attempts:

Missing Upload Option in GUI: The Upload License File control appears only on FortiOS 7.2+ hardware appliances. Administrators on earlier versions or VM deployments may incorrectly assume the feature is unavailable rather than version-restricted.

License File Format Confusion: Product entitlement files follow a strict naming convention. Deviations—such as renaming the file or extracting contents—invalidate the cryptographic signature. Transfer files without modification.

FortiManager Authorization Timing: Premature authorization of unregistered devices disrupts the discovery handshake. Allow timeout cycles to complete before initiating manual device addition through the Device Manager interface.

Initial Registration Dependency: Both activation methods require the FortiGate serial number to be registered on FortiCloud at least once. Organizations planning permanent air-gap deployment should complete this registration during initial procurement, before network isolation.
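As an added example (not code from the page or from Fortinet), the following Python pre-flight check applies the version matrix above to parsed get system status output and enforces the entitlement-file naming and integrity points from the pitfalls list. The sample status output, model names, serial and hash are constructed placeholders.

```python
import hashlib
import re
from typing import NamedTuple

# Constructed sample of `get system status` output; model, build and serial
# are placeholders, not values captured from a real appliance.
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.2.5,build1517,230427 (GA.F)
Virus-DB: 91.00000(2023-04-27 00:00)
Serial-Number: FG100FTKPLACEHOLDER
Operation Mode: NAT
"""

class DeviceInfo(NamedTuple):
    model: str
    version: tuple   # (major, minor, patch)
    serial: str

def parse_system_status(text: str) -> DeviceInfo:
    """Extract platform name, firmware version tuple and serial number."""
    ver = re.search(r"^Version:\s+(\S+)\s+v(\d+)\.(\d+)\.(\d+)", text, re.M)
    ser = re.search(r"^Serial-Number:\s+(\S+)", text, re.M)
    if not ver or not ser:
        raise ValueError("unrecognised 'get system status' output")
    version = tuple(int(x) for x in ver.group(2, 3, 4))
    return DeviceInfo(ver.group(1), version, ser.group(1))

def is_vm(info: DeviceInfo) -> bool:
    # FortiGate-VM platforms carry "VM" in the model string (e.g. FortiGate-VM64)
    return "VM" in info.model.upper()

def activation_method(info: DeviceInfo) -> str:
    """Version matrix: manual upload needs 7.2+ on hardware, 7.4+ on VMs;
    everything else must go through a FortiManager proxy."""
    if info.version < (7, 2, 0):
        return "fortimanager-proxy"
    if info.version < (7, 4, 0) and is_vm(info):
        return "fortimanager-proxy"
    return "manual-upload"

def entitlement_file_matches(filename: str, serial: str) -> bool:
    """Catch renamed files: the name must keep the device serial and the
    ProductEntitlement.lic suffix (page format: FG[SERIAL]ProductEntitlement.lic)."""
    return filename.endswith("ProductEntitlement.lic") and serial in filename

def unchanged_in_transit(data: bytes, expected_sha256: str) -> bool:
    """Compare the file that arrived on removable media with the SHA-256
    recorded on the internet-connected workstation before transfer."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```

Run the checks on the workstation that prepared the media and again on the air-gapped side before clicking Upload License File, so a wrong-version device or a tampered file is caught before the "Pending" status appears.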

Frequently Asked Questions

Can I activate a FortiGate license with zero internet access at any point?
No. All activation pathways require initial registration of the device serial number on FortiCloud, which necessitates internet connectivity. This step may be performed on a separate, internet-connected system before transferring configuration artifacts to the isolated environment.

Does manual license upload work for all FortiGate models?
Manual upload via the GUI is supported on hardware appliances running FortiOS 7.2.0 or later. Virtual machine licenses gained manual upload support starting with FortiOS 7.4. Older firmware versions require FortiManager proxy configuration regardless of appliance type.

What happens if my offline FortiGate license expires?
Expired licenses cease receiving FortiGuard service updates. The appliance continues forwarding traffic according to existing policies but loses access to real-time threat intelligence, web filtering categories, and antivirus signature updates. Renewal requires repeating the entitlement file download process on an internet-connected system and re-uploading to the offline device.

Can FortiManager operate completely offline after initial setup?
Yes. Once FortiManager synchronizes license contracts and signature databases, it can service offline FortiGate units indefinitely. However, signature freshness degrades over time. Best practice involves periodic, controlled internet access for FortiManager to retrieve updated definitions, then distributing them internally to managed devices.

Is there a CLI-only method for offline license activation?
Yes. Administrators may upload VM licenses via TFTP using the execute restore vmlicense command. Hardware appliance licenses typically require GUI interaction for manual upload, though FortiManager-based activation can be completed entirely via CLI when properly configured.